Elevate eoapi db user permissions and rely on pgstac for db migrations.

pantierra · pantierra · commit 1e495158f6ae · 2025-06-16T17:46:53.000+02:00
diff --git a/helm-chart/eoapi/templates/pgstacbootstrap/configmap.yaml b/helm-chart/eoapi/templates/pgstacbootstrap/configmap.yaml
@@ -44,29 +44,3 @@ data:
   {{- end }}
 {{- end }}
 {{- end }}
----
-{{- if .Values.postgrescluster.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: initdb
-data:
-  initdb.sql: |
-    \c {{ .Values.pgstacBootstrap.settings.database }}
-    CREATE EXTENSION IF NOT EXISTS postgis;
-    CREATE EXTENSION IF NOT EXISTS btree_gist;
-    CREATE EXTENSION IF NOT EXISTS unaccent;
-    CREATE ROLE pgstac_admin;
-    CREATE ROLE pgstac_read;
-    CREATE ROLE pgstac_ingest;
-    ALTER DATABASE {{ .Values.pgstacBootstrap.settings.database }} OWNER TO {{ .Values.pgstacBootstrap.settings.user }};
-    ALTER USER {{ .Values.pgstacBootstrap.settings.user }} SET search_path TO pgstac, public;
-    ALTER ROLE {{ .Values.pgstacBootstrap.settings.user }} WITH CREATEROLE;
-    ALTER DATABASE {{ .Values.pgstacBootstrap.settings.database }} set search_path to pgstac, public;
-    GRANT CONNECT ON DATABASE {{ .Values.pgstacBootstrap.settings.database }} TO {{ .Values.pgstacBootstrap.settings.user }};
-    GRANT ALL PRIVILEGES ON TABLES TO {{ .Values.pgstacBootstrap.settings.user }};
-    GRANT ALL PRIVILEGES ON SEQUENCES TO {{ .Values.pgstacBootstrap.settings.user }};
-    GRANT pgstac_read TO {{ .Values.pgstacBootstrap.settings.user }} WITH ADMIN OPTION;
-    GRANT pgstac_ingest TO {{ .Values.pgstacBootstrap.settings.user }} WITH ADMIN OPTION;
-    GRANT pgstac_admin TO {{ .Values.pgstacBootstrap.settings.user }} WITH ADMIN OPTION;
-{{- end }}
diff --git a/helm-chart/eoapi/templates/pgstacbootstrap/eoapiuser-permissions-upgrade.yaml b/helm-chart/eoapi/templates/pgstacbootstrap/eoapiuser-permissions-upgrade.yaml
@@ -1,18 +1,15 @@
 {{- if and .Values.postgrescluster.enabled .Values.pgstacBootstrap.enabled }}
 ---
-# This job is part of the upgrade process from pre-0.7.0 versions.
-# Prior to 0.7.0, database schema updates were run with superuser privileges.
-# This job ensures proper permissions are granted to the eoapi user during upgrade.
-# TODO: Remove with the next mayor verson and add to documentation that one needs to
-# through 0.7.x when upgrading.
+# The eoapi database user runs pgstac migrate and needs some elevated permissions
+# without being a superuser.
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: pgstac-eoapiuser-permissions-upgrade
   labels:
     app: pgstac-eoapiuser-permissions-upgrade
   annotations:
-    helm.sh/hook: "post-upgrade"
+    helm.sh/hook: "post-install,post-upgrade"
     helm.sh/hook-weight: "-7"
     helm.sh/hook-delete-policy: "before-hook-creation"
 spec:
@@ -34,9 +31,8 @@ spec:
               set -e
 
               # Run permission setup with superuser
-              echo "Applying superuser permissions for upgrade from version {{ .Values.previousVersion }}..."
-              PGUSER=postgres psql -f /opt/sql/initdb.sql
-
+              echo "Applying elevated permissions"
+              PGUSER=postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE \"$PGDATABASE\" TO \"$EOAPI_USER\";"
               echo "Permissions upgrade complete"
           resources:
             {{- toYaml .Values.pgstacBootstrap.settings.resources | nindent 12 }}
@@ -49,6 +45,11 @@ spec:
                 secretKeyRef:
                   name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-postgres
                   key: user
+            - name: EOAPI_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $.Values.postgrescluster.name | default $.Release.Name }}-pguser-eoapi
+                  key: user
             - name: PGPORT
               valueFrom:
                 secretKeyRef:
diff --git a/helm-chart/eoapi/values.yaml b/helm-chart/eoapi/values.yaml
@@ -69,19 +69,19 @@ comment_db: >
 postgresql:
   # Management type: "postgrescluster" (default), "external-plaintext", or "external-secret"
   type: "postgrescluster"
-  
+
   # Configuration for external PostgreSQL (used when type is "external-plaintext" or "external-secret")
   external:
     # Connection information
     host: ""
     port: "5432"
     database: "eoapi"
-    
+
     # Credentials configuration (used when type is "external-plaintext")
     credentials:
       username: ""
       password: ""
-    
+
     # Secret reference (used when type is "external-secret")
     existingSecret:
       name: ""
